zloader | 02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37

Resubmissions

10-09-2024 16:21

240910-ttserasepr 10

28-07-2020 23:07

200728-dgaye9ycja 10

Analysis

max time kernel
298s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cYNhXOc.dll
Size

508KB
MD5

7bebb1b85a609733df0b3205406723bb
SHA1

384f07648c732cd9490b7d3bff41ce5a0911b138
SHA256

02846dbf25b333625a0720075fb47da62a946e5b0b4f9e9ba14cef514d576b37
SHA512

4147af9ed60d340218deb382374a015a3bb4cc4abc585e833e1a81ba21bf05f485e2a4cfc7b99223e9015ccda993c5ff19693ce7c00fb18701e66cd259422865
SSDEEP

6144:pThNEjn8Y+DbK916qEs+9RE3ZiK8jhUIBJawdcM+G7z7oqlpQYkYXlcYS:Zbg8Y+Db7qEs+MJZChUIBMvZA1kGd

Score

10^/10

zloader july28 july28 botnet discovery trojan

Malware Config

Extracted

Family

zloader

Botnet

july28

Campaign

july28

https://vlcafxbdjtlvlcduwhga.com/web/post.php

https://softwareserviceupdater3.com/web/post.php

https://softwareserviceupdater4.com/web/post.php

Attributes

build_id
20

rc4.plain

rsa_pubkey.plain

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3940 created 3496 3940 regsvr32.exe Explorer.EXE
Zloader, Terdot, DELoader, ZeusSphinx
Zloader is a malware strain that was initially discovered back in August 2015.
trojan botnet zloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

regsvr32.exe

description pid process target process

PID 3940 set thread context of 3924 3940 regsvr32.exe msiexec.exe

description	pid	process	target process
PID 3940 created 3496	3940	regsvr32.exe	Explorer.EXE

description	pid	process	target process
PID 3940 set thread context of 3924	3940	regsvr32.exe	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exemsiexec.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

regsvr32.exe

pid process

3940 regsvr32.exe
3940 regsvr32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

regsvr32.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 3940 regsvr32.exe
Token: SeSecurityPrivilege 3924 msiexec.exe
Token: SeSecurityPrivilege 3924 msiexec.exe

pid	process
3940	regsvr32.exe
3940	regsvr32.exe

description	pid	process
Token: SeDebugPrivilege	3940	regsvr32.exe
Token: SeSecurityPrivilege	3924	msiexec.exe
Token: SeSecurityPrivilege	3924	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	pid	process	target process
PID 4624 wrote to memory of 3940	4624	regsvr32.exe	regsvr32.exe
PID 4624 wrote to memory of 3940	4624	regsvr32.exe	regsvr32.exe
PID 4624 wrote to memory of 3940	4624	regsvr32.exe	regsvr32.exe
PID 3940 wrote to memory of 3924	3940	regsvr32.exe	msiexec.exe
PID 3940 wrote to memory of 3924	3940	regsvr32.exe	msiexec.exe
PID 3940 wrote to memory of 3924	3940	regsvr32.exe	msiexec.exe
PID 3940 wrote to memory of 3924	3940	regsvr32.exe	msiexec.exe
PID 3940 wrote to memory of 3924	3940	regsvr32.exe	msiexec.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Windows\system32\regsvr32.exe
  regsvr32 /s C:\Users\Admin\AppData\Local\Temp\cYNhXOc.dll
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Windows\SysWOW64\regsvr32.exe
    /s C:\Users\Admin\AppData\Local\Temp\cYNhXOc.dll
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3940
- C:\Windows\SysWOW64\msiexec.exe
  msiexec.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3924-8-0x0000000000E40000-0x0000000000E6B000-memory.dmp

Filesize
172KB

Download
memory/3924-11-0x0000000000E40000-0x0000000000E6B000-memory.dmp

Filesize
172KB

Download
memory/3924-13-0x0000000000E40000-0x0000000000E6B000-memory.dmp

Filesize
172KB

Download
memory/3924-14-0x0000000000E40000-0x0000000000E6B000-memory.dmp

Filesize
172KB

Download
memory/3940-0-0x0000000010079000-0x000000001007D000-memory.dmp

Filesize
16KB

Download
memory/3940-1-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/3940-2-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/3940-3-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download
memory/3940-4-0x0000000010079000-0x000000001007D000-memory.dmp

Filesize
16KB

Download
memory/3940-10-0x0000000010000000-0x00000000100D8000-memory.dmp

Filesize
864KB

Download